Imagine you're having a CT scan and malware alters the radiation levels – it's doable

As memories of last May's WannaCry cyber attack fade, the healthcare sector and Britain's NHS are still deep in learning.

According to October's National Audit Office (NAO) report (PDF), 81 NHS Trusts, 603 primary care organisations and 595 GP practices in England and Wales were infected by the malware, with many others in lockdown, unable to access patient data.

WannaCry's upshot was to lock staff out of Windows computers, a bad way to learn the lesson that failing to patch old kit has consequences. But there was another, less obvious discovery: medical imaging devices (MIDs) such as Magnetic Resonance Imaging (MRI), Computed Tomography (CT) scanners, and digital imaging and communications (DICOM) workstations were badly disrupted, with serious knock-on effects for hospital workflow even when other systems had been restored.

In today's NHS, and healthcare generally, MIDs matter out of all proportion to their numbers, with some hospitals relying on perhaps half a dozen to cope with large volumes of disease, cancer and pre and post-op operation diagnostics. "It's hard to imagine life without them," a hospital consultant who wished to remain anonymous told The Register.

Costing anything from £150,000 for smaller CT scanners to millions for the latest MRI designs, these turn out to be difficult to defend. Many in the NHS are controlled through applications run from vulnerable Windows XP or 7 PCs, the former reacting to WannaCry by blue-screening, effecting an inadvertent denial-of-service.

As the NAO noted: "This equipment is generally managed by the system vendors and local trusts are not capable of applying updates themselves." The UK's health sector security hand-holders NHS Digital confirmed to the NAO that manufacturer support was often poor, leaving trusts with few defensive options beyond isolating scanners from internal networks in ways that made accessing imaging data impractical.

Denial-of-Scanning

As far as anyone knows, WannaCry's makers did all of this without even meaning to. What if they had set out to take down a hospital, or attack MIDs in a calculated way? The possibilities turn out to have been alarmingly underestimated.

For May Wang, co-founder and CTO of US IoT security firm ZingBox, the proof-of-concept attack on healthcare was Conficker in 2008, not WannaCry in 2017.

"You don't hear about it but the impact of Conficker is actually bigger," says Wang. "But because not everybody is reporting it, we don't see that much impact in public."

It's a staggering thought: almost a decade after it infected hospitals around the world, including 800 PCs at a teaching hospital in Sheffield, a worm targeting a vulnerability in an obsolete version of Windows is still on healthcare's to-do list.

Researching the security of medical devices in 50 US hospitals, ZingBox discovered that, sure enough, MIDs contributed half of the high-risk security issues. The underlying cause? Almost all of these systems were being controlled through Windows workstations, often flaw-ridden versions going back to XP and even 98, which reflects the age of the scanning hardware.

"Because they're using a full-blown OS, they have the capability to use a browser, download applications and to do lots of thing you are not supposed to do on an OS controlling an X-ray machine."

In the US at least, hospitals often try to partially isolate MIDs on VLANS, a strategy which quickly degrades as more devices are plugged into the same network segment.

ZingBox found that only a quarter of the devices on VLANs were medical in nature with the remainder made up of PCs, printers, and mobile devices, all vulnerable to malware that could use them as a staging post to reach MID workstations.

Compounding this is the way the number of connected and IoT-enabled medical devices is growing faster than bio-medical IT staff can keep up, says Wang. In many cases, hospitals don't even audit these devices, which makes protecting them hypothetical.

Ambulance chasing

Noticing the same vulnerabilities as ZingBox, researchers at Ben-Gurion University of the Negev in Israel decided to test out their hunch that MIDs could even be attacked directly by targeted malware.

The team's preliminary findings were published in a report (PDF) in February, which identified CT scanners as the number-one risk. These expose patients to defined amounts of radiation, a setting controlled using a configuration file whose parameters are set from a workstation application.

The EternalBlue exploit was leaked in April, and the attack took place in May. Microsoft released a critical security update in March, even before the exploit was leaked, and it was still not enough to stop it.

"This file is basically a list of instructions that the control unit gives to the CT in order to tell it how exactly to perform the scan, including how to move the motors, the duration, the radiation levels and more," says Tom Mahler, one of the report's lead authors.

"By manipulating these files, an attacker can potentially control exactly how the CT will work. This could be very dangerous and lead to radiation overdose, injury and possibly death."

Alternatively, attackers could attempt to mix up the scanning results, "causing mistreatment to the patient or vice versa". In neither example would the CT operator necessarily be aware that something was awry.

Although MIDs from different manufacturers use custom scanning applications, tailoring an attack for any one of these would not be difficult, confirms Mahler.

Having tested 23 different proof-of-concept attacks on MIDs in a simulated environment, Mahler and colleagues bioinformatics expert Professor Yuval Shahar, cyber security expert Professor Yuval Elovici, and and senior researcher Dr Erez Shalom have promised to demo at a security conference during 2018.

The research predates WannaCry, but that malware's appearance served as a giant finger pointing to the weak protection of MIDs and medical devices in general.

"This attack demonstrated how quickly the development of cyber attack could be – the EternalBlue exploit was leaked in April, and the attack took place in May. Microsoft released a critical security update in March, even before the exploit was leaked, and it was still not enough to stop it."

Adding weight, the research was conducted in conjunction with Israel's largest healthcare provider, Clalit Health Services, whose head of imaging informatics is Dr Arnon Makori, who believes, if anything, that WannaCry has been underplayed.

"It was a global wake-up call for the whole healthcare world. I believe the impact was significantly higher than reported and many more devices and systems were affected," he told The Register.

Makori blames a "lack of awareness by the manufacturing companies, conservative operating systems and device architecture and cost benefit considerations" that will only be fixed with "a whole new cybersecurity strategy".

IoT infusion

The risks aren't limited to MIDs, and recent ZingBox research outlines a load of security holes in the design of one brand of IoT-enabled infusion pump, a ubiquitous medical device used to deliver fluids into patients at their bedside.

Hard-coded credentials that could be changed at will, lousy encryption, even the ability to splash a ransom message explaining that the device had been locked – you name it, it's all there.

That means, when we talk about healthcare security, we're mainly talking about information leakage. And in this particular field, we're actually talking about life and death, about interruptions of operations and patient safety, according to ZingBox.

What Wang and Mahler have uncovered is like a version of the panic over SCADA vulnerabilities in power stations – but worse.

"Medical devices are extremely valuable. You can ransom a person's files and it is inconvenient. If you ransom a person's life you will probably get as much money as you want," says Mahler. ®